[Owasp-board] OWASP tied to trojaned Firefox Add-on

Matt Tesauro matt.tesauro at owasp.org
Fri Jul 16 15:43:34 UTC 2010


Paulo,

Nothing else to do.  This is perfect.  I knew I had seen an email about 
it but didn't have the skills to find it like you do.

BTW, Dave had the great idea to email Michael Coates since he now works 
for Mozilla and we determined that it wasn't an official OWASP project 
but probably Adam's post to the Phoenix list.

Here's what Michael had to say:
http://michael-coates.blogspot.com/2010/07/owasps-nonrole-in-backdoored-firefox.html

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/16/10 6:03 AM, Paulo Coimbra wrote:
> Matt,
>
> I’ve gone through the tools I use to manage OWASP Projects and couldn’t
> find any record of this being an official OWASP Project.
>
> I’ve checked all my exchanged emails and couldn’t find anything that
> indicates we have set up such a project, although I have identified a
> thread in which you are involved that may or may not be related to this
> issue. Please see the enclosed email.
>
> Additionally, we’ve built an OWASP Projects dashboard which is kind of a
> GPC repository for all OWASP Projects and we haven’t listed this project
> either.
>
> http://www.owasp.org/index.php/OWASP_Projects_Dashboard
>
> Please let me know whether or not I should take further action.
>
> Thanks,
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Matt Tesauro [mailto:matt.tesauro at owasp.org]
> *Sent:* Thursday, 15 July 2010 19:59
> *To:* Paulo Coimbra; OWASP Foundation Board List
> *Subject:* OWASP tied to trojaned Firefox Add-on
>
> Paulo,
>
> Can you look through your list of people who have started OWASP projects
> and see if this is an official OWASP project?
>
> If so, please reach out to the project leader and let them know about
> the situation. Hopefully, they can update their Firefox Add-on
> collection quickly.
>
> Background:
>
> http://news.netcraft.com/archives/2010/07/15/firefox-security-test-add-on-was-backdoored.html
>
> "I was giving the OWASP Firefox Security Collection a try, installed a
> bundle of extensions unknown to me ..."
>
> Apparently the trojaned Add-on looked for any submitted login
> credentials and submitted them to a specific IP along with the URL and
> some other meta-data.
>
> --
>
> -- Matt Tesauro
>
> OWASP Board Member
>
> OWASP Live CD Project Lead
>
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>
> http://AppSecLive.org - Community and Download site
>




